URL found in nginx access.log along GET request

Time:09-17

I am managing a site hosted on AWS EC2 using nginx. To avoid threats, I am continuously monitoring the nginx logs (access.log & error.log). Though many threats are well managed by tweaking nginx.conf, for this specific one I am not even able to figure out how the attacker manages to send such a request.

access.log
xx.xxx.xx.xxx - - [18/Aug/2021:09:04:13 +0000] "GET http://xxxxxxxxx.com/ HTTP/1.1" 200 1400 "-" "Go-http-client/1.1"

In the above case, let's say the name of my website is "http://abc-xyz-1234.com"; the attacker is passing a URL in the path (i.e. http://xxxxxxxxx.com/), and nginx is responding with "200". I am still scratching my head over how the request was made and what was returned in the 1400-byte response (the response length is still much less than the website's response size for path "/").

As I believe it's not possible through a browser, I tried to simulate it using curl, but it wouldn't work.

  1. It is considered 2 separate requests by curl
    curl -A Mozilla http://abc-xyz-1234.com/ http://xxxxxxxxx.com

  2. Invalid domain
    curl -A Mozilla http://abc-xyz-1234.comhttp://xxxxxxxxx.com

  3. It will hit the host with path /http://xxxxxxxxx.com and get rejected. The attacker manages to send it without the prefix "/", and that's what I am trying to simulate
    curl -A Mozilla http://abc-xyz-1234.com/http://xxxxxxxxx.com

CodePudding user response:

You can use --request-target for this:

curl -A Mozilla http://abc-xyz-1234.com --request-target http://xxxxxxxxx.com
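
The request line in the log is an absolute-form request-target (a full URL instead of a path), which is what --request-target makes curl send. As an added example that is not part of the original question or answer, the Python below classifies request-targets in nginx combined-format log lines and lists absolute-form requests that name a host other than your own; OWN_HOSTS, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the host names this site is really served under.
OWN_HOSTS = {"abc-xyz-1234.com", "www.abc-xyz-1234.com"}
# nginx "combined" format: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def target_form(method, target):
    """Classify a request-target into the four forms of RFC 7230 section 5.3."""
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"      # what browsers and plain curl send
    if method == "CONNECT":
        return "authority"
    if "://" in target:
        return "absolute"    # proxy-style: full URL in the request line
    return "unknown"

def foreign_absolute_requests(lines, own_hosts=OWN_HOSTS):
    """Return (addr, host, status) for absolute-form requests naming a host that is not ours."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        parts = m["request"].split(" ") if m else []
        if len(parts) != 3:
            continue  # unparsed line, or malformed/truncated request line
        method, target, _version = parts
        if target_form(method, target) != "absolute":
            continue
        host = (urlsplit(target).hostname or "").lower()
        if host not in own_hosts:
            hits.append((m["addr"], host, int(m["status"])))
    return hits

# Constructed sample lines (documentation addresses and names, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [18/Aug/2021:09:04:13 +0000] "GET http://other.example/ HTTP/1.1" 200 1400 "-" "Go-http-client/1.1"',
    '198.51.100.4 - - [18/Aug/2021:09:05:02 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Aug/2021:09:06:40 +0000] "GET http://abc-xyz-1234.com/about HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.7 - - [18/Aug/2021:09:07:11 +0000] "CONNECT other.example:443 HTTP/1.1" 400 157 "-" "-"',
]

if __name__ == "__main__":
    for addr, host, status in foreign_absolute_requests(SAMPLE):
        print(f"{addr} asked for foreign host {host!r}, got {status}")
```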